Initially the backdoor PHP code is generated using payloads containing main PHP system functions that operate under a basic Cookie handling mechanism. This code is then injected, after which the client can send shell commands hidden in Cookie headers obfuscated with base64 encoding. On the server side the shell command is executed and the output is transmitted back to client hidden (base64 encoded too) in Cookie headers.

ReadMe
https://github.com/anestisb/WeBaCoo/#readme

Download
http://github.com/anestisb/WeBaCoo/zipball/master